avc denied from postgresql
Richard Hally
rhally at mindspring.com
Sat Jul 3 07:25:05 UTC 2004
Russell Coker wrote:
> On Sat, 3 Jul 2004 09:39, Richard Hally <rhally at mindspring.com> wrote:
>
>>Russell Coker wrote:
>>
>>>Let's get back to basics and look at the concepts rather than AVC
>>>messages.
>>>
>>>/etc/rc.d/init.d/postgresql uses su to change uid to start the daemon,
>>>this is a problem as it's not compatible with the usual su operation.
>>
>>Huh? su (Substitute User) has been to "Change the effective userid and
>>group id" since I first learned about it in 1978. And is being used for
>>that purpose in the init.d/postgresql script.
>
>
> Its purpose is to change the effective UID/GID for interactive sessions.
>
> From su(1) on Fedora:
> su - run a shell with substitute user and group IDs
>
> From su(1) on Debian:
> su is used to become another user during a login session.
>
> There's no mention I could find in the documentation of using su for starting
> daemons.
>
> I think that there is no good reason for using su in this manner, and some
> good reasons for not doing so. The postgresql start scripts will have to be
> changed.
>
>
>>>/etc/rc.d/init.d/postgresql does lots of things other than just starting
>>>a daemon, for example the code after:
>>>echo -n $"Initializing database: "
>>
>>Maybe we need a restorecon where it creates the data directory (if not
>>already present (a rare occurrence)).
>
>
> It might be rare in terms of the number of times the daemon is started, but
> from my understanding of the script it's expected to be done the first time
> the daemon is started. So it's inevitable that it happens at least once, and
> therefore we have to handle it.
>
>
>>The real work part of initializing the data directory is done with "su
>>-l postgres -c ..." just like the part that starts the server (i.e. su -l
>>postgres -c ...)
>>
>>What is it about pam_selinux that is causing the problem?
>
>
> The fact that there is no identity, role, and domain defined for Postgres. We
> can configure the SE Linux policy to allow this, but it's the wrong approach.
>
Ok, now I understand making a distinction about using su for starting a
daemon.
What is the problem with defining a user role for postgres? And how
would one go about doing that?
TFTH
Richard Hally